Make the DPI certificate signed by a trusted center

Products Endpoint Protector Ideas
, ,
1

What is a one sentence summary of your feature request?

Make the DPI certificate signed by a trusted center.

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

Hello!

Recently, one of the customers has encountered the issue while working with Node.js:
When attempting to install private packages npm fails with the following error:
“Error: unable to get local issuer certificate”

Investigation shows that:

  • The Artifactory server presents a valid certificate chain only partially;
  • The certificate is issued by an internal CA that is not included in Node.js trusted roots;
  • While macOS trusts the certificate (via Keychain), Node.js does not because it uses its own CA bundle;

To work around this, customer must manually:

  • Extract the full certificate chain via openssl s_client
  • Export it to a .pem file
  • Set npm config set ca file ~/*chain.pem
    This workaround is fragile and not scalable. Ideally, the full chain should be presented by the server or distributed via system tools like NODE_EXTRA_CA_CERTS or OS-level trust store sync.

So, summarizing this information, would it be possible to make the DPI certificate signed by a trusted center to prevent similar issues?

How do you currently solve the challenges you have by not having this feature?

Hello!

Recently, one of the customers has encountered the issue while working with Node.js:
When attempting to install private, packages npm fails with the following error:
Error: unable to get local issuer certificate

Investigation shows that:

  • The Artifactory server presents a valid certificate chain only partially;
  • The certificate is issued by an internal CA that is not included in Node.js trusted roots;
  • While macOS trusts the certificate (via Keychain), Node.js does not because it uses its own CA bundle;

To work around this, customer must manually:

  • Extract the full certificate chain via openssl s_client
  • Export it to a .pem file
  • Set npm config set ca file ~/*chain.pem
    This workaround is fragile and not scalable. Ideally, the full chain should be presented by the server or distributed via system tools like NODE_EXTRA_CA_CERTS or OS-level trust store sync.

So, summarizing this information, would it be possible to make the DPI certificate signed by a trusted center to prevent similar issues?

2

Hi Danylo,

Thank you for sharing your valuable idea with us!

We appreciate your input and want to let you know that we are currently exploring this redesign. However, we are unable to provide further specific details or a timeline at this moment. We kindly ask you to stay tuned, and we will keep you informed with any updates as soon as they become available.

Regards,
Simona